replace links/references to ~/private/FOO with just ~/FOO
This commit is contained in:
parent
1bcfccf7e3
commit
057b9e3fed
2
TODO.md
2
TODO.md
|
@ -46,7 +46,7 @@
|
|||
- otherwise anyone can `systemd-run --user ...` to potentially escape a sandbox
|
||||
- <https://github.com/flatpak/xdg-dbus-proxy>
|
||||
- remove `.ssh` access from Firefox!
|
||||
- limit access to `~/private/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
|
||||
- limit access to `~/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
|
||||
- port sane-sandboxed to a compiled language (hare?)
|
||||
- it adds like 50-70ms launch time _on my laptop_. i'd hate to know how much that is on the pinephone.
|
||||
- make dconf stuff less monolithic
|
||||
|
|
|
@ -9,9 +9,9 @@ in
|
|||
{
|
||||
sane.user.persist.byStore.private = [ ".local/share/keyrings" ];
|
||||
|
||||
sane.user.fs."private/.local/share/keyrings/default" = {
|
||||
sane.user.fs.".local/share/keyrings/default" = {
|
||||
generated.command = [ "${init-keyring}/bin/init-keyring" ];
|
||||
wantedBy = [ config.sane.fs."/home/colin/private".unit ];
|
||||
# wantedBy = [ config.sane.fs."/home/colin/private".unit ];
|
||||
wantedBeforeBy = [ ]; # don't created this as part of `multi-user.target`
|
||||
};
|
||||
}
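Review bot: Commenting out `wantedBy` on the changed line leaves the `.local/share/keyrings/default` entry with no visible activation: `wantedBeforeBy = [ ]` is explicitly empty and the only thing that pulled the unit in is now a comment, so unless `sane.user.fs` supplies a default `wantedBy`, `init-keyring` may no longer run at all. The `persist.byStore.private` context line suggests the keyring is still backed by the private store, so if the unit does run it should still be ordered after that store is mounted; otherwise the plaintext default keyring that `init-keyring` creates could be written to the unmounted path and then be shadowed once the store appears. If dropping the dependency is intentional, delete the commented line rather than leaving dead config beside the live `wantedBeforeBy`.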
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
|
||||
# this initializes it to be plaintext/unencrypted.
|
||||
|
||||
ringdir=/home/colin/private/.local/share/keyrings
|
||||
ringdir=/home/colin/.local/share/keyrings
|
||||
if test -f "$ringdir/default"
|
||||
then
|
||||
echo 'keyring already initialized: not doing anything'
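Review bot: `ringdir=/home/colin/.local/share/keyrings` hard-codes the home directory on the changed line, and the same `/home/colin` prefix is repeated in the Nix modules touched by this commit, so every layout move like this one has to be applied in several places by hand. If the unit runs this script as the target user, `ringdir="$HOME/.local/share/keyrings"` keeps the script in step with the caller; if it runs as root, passing the directory in as an argument would still avoid the duplicated literal. I can't tell from the hunk which user the generated unit runs as, and the rest of the script is outside the hunk.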
|
||||
|
|
|
@ -248,7 +248,7 @@ in
|
|||
"Pictures/servo-macros"
|
||||
] ++ lib.optionals cfg.addons.browserpass-extension.enable [
|
||||
# browserpass needs these paths:
|
||||
# - private/knowledge/secrets/accounts: where the encrypted account secrets live
|
||||
# - knowledge/secrets/accounts: where the encrypted account secrets live
|
||||
# at least one of:
|
||||
# - .config/sops: for the sops key which can decrypt account secrets
|
||||
# - .ssh: to unlock the sops key, if not unlocked (`sane-secrets-unlock`)
|
||||
|
@ -257,7 +257,7 @@ in
|
|||
# - see if ssh has a more formal type of subkey system?
|
||||
".ssh/id_ed25519"
|
||||
# ".config/sops"
|
||||
"private/knowledge/secrets/accounts"
|
||||
"knowledge/secrets/accounts"
|
||||
];
|
||||
fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {}; #< needs to be created, not *just* added to the sandbox
|
||||
|
||||
|
@ -341,9 +341,9 @@ in
|
|||
'';
|
||||
|
||||
# TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
|
||||
env.PASSWORD_STORE_DIR = "/home/colin/private/knowledge/secrets/accounts";
|
||||
env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
|
||||
# alternative to PASSWORD_STORE_DIR, but firejail doesn't handle this symlink well
|
||||
# fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "private/knowledge/secrets/accounts";
|
||||
# fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";
|
||||
};
|
||||
})
|
||||
(mkIf config.sane.programs.firefox.enabled {
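Review bot: `env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts"` on the changed line spells out the same location that the sandbox path list grants as `"knowledge/secrets/accounts"` in the earlier hunk (`@ -257`), and this commit is exactly the kind of move where editing one without the other leaves browserpass pointing at a path the sandbox does not expose. Binding the relative path once, e.g. a `let` holding `"knowledge/secrets/accounts"`, and deriving both the `fs` entry and the absolute env value from it would keep them in step; I can't see from the hunk whether such a binding already exists. The enclosing `mkIf` block starts outside the hunk.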
|
||||
|
|
|
@ -28,7 +28,6 @@ in
|
|||
"dev"
|
||||
"knowledge"
|
||||
"nixos"
|
||||
"private/knowledge"
|
||||
"ref"
|
||||
".ssh/id_ed25519"
|
||||
];
|
||||
|
|
|
@ -98,7 +98,6 @@ in
|
|||
"dev"
|
||||
"knowledge"
|
||||
"nixos"
|
||||
"private/knowledge"
|
||||
"records"
|
||||
"ref"
|
||||
"tmp"
|
||||
|
|
|
@ -42,7 +42,7 @@ in
|
|||
# dconf achieves atomic writes via `mv`, so a symlink doesn't work
|
||||
# moreover, i have to persist the *whole* directory:
|
||||
# - `user-db:tangram/user` causes a schema failure
|
||||
# - bind-mounting `~/private/.config/dconf/tangram` causes dconf to try a cross-fs `mv`, which fails
|
||||
# - bind-mounting `~/.config/dconf/tangram` causes dconf to try a cross-fs `mv`, which fails
|
||||
# - dconf provides no way to specify an alternate ~/.config/dconf dir, except by overriding XDG_CONFIG_HOME
|
||||
# { type = "file"; path = ".config/dconf/tangram"; method = "bind"; }
|
||||
# ".config/dconf"
|
||||
|
|
|
@ -34,7 +34,7 @@ lib.mkIf config.sane.persist.enable
|
|||
"noauto" # don't try to mount, until the user logs in!
|
||||
"nofail"
|
||||
# "nodev" # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev`
|
||||
# "noexec" # handful of scripts in ~/private/knowledge that are executable
|
||||
# "noexec" # handful of scripts in ~/knowledge that are executable
|
||||
# "nosuid" # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also nosuid is default)
|
||||
"allow_other" # root ends up being the user that mounts this, so need to make it visible to other users.
|
||||
# "quiet"
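Review bot: The rewritten comment on the `# "noexec"` line now justifies leaving `noexec` off this mount by executable scripts in `~/knowledge`, but after this commit `~/knowledge` is no longer written as a path under `~/private`, so the comment only still explains this mount option if `~/knowledge` is itself persisted through the private store; I can't confirm that from the hunk. If it is, making that explicit, e.g. `# "noexec" # ~/knowledge (persisted via the private store) holds executable scripts`, saves the next reader the same question. If it is not, `noexec` could be reconsidered for this mount, since the `allow_other` line below makes its contents visible to other users.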
|
||||
|
|
|
@ -16,12 +16,12 @@ wipe_browser() {
|
|||
# remove chromium/epiphany/firefox/librewolf artifacts
|
||||
rm -rf \
|
||||
~/.cache/BraveSoftware/* \
|
||||
~/.cache/chromium \
|
||||
~/.cache/chromium/* \
|
||||
~/.cache/epiphany/* \
|
||||
~/.cache/librewolf/* \
|
||||
~/.cache/mozilla/firefox/* \
|
||||
~/.config/BraveSoftware/* \
|
||||
~/.config/chromium \
|
||||
~/.config/chromium/* \
|
||||
~/.librewolf/default/* \
|
||||
~/.local/share/epiphany/* \
|
||||
~/.mozilla/* \
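Review bot: The two changed lines, `~/.cache/chromium/*` and `~/.config/chromium/*`, narrow the wipe from the directory to its glob-visible children, so any dot-prefixed entries under those directories survive (a plain `*` does not match a leading dot unless the shell has `dotglob` set), and `wipe_flare`'s new `~/.local/share/flare/*` in the next hunk has the same gap. If keeping the directory itself is the goal (for instance because it is a mount point), clearing it with `find ~/.cache/chromium -mindepth 1 -delete` removes hidden entries as well; otherwise the previous directory form was the complete wipe. `wipe_browser` continues outside the hunk.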
|
||||
|
@ -46,9 +46,9 @@ wipe_flare() {
|
|||
|
||||
dconf reset -f /de/schmidhuberj/Flare/
|
||||
|
||||
rm -rf ~/.local/share/flare
|
||||
rm -rf ~/.local/share/flare/*
|
||||
|
||||
echo "you may repair Flare. after doing so, mv ~/.local/share/flare ~/private/.local/share/flare to persist"
|
||||
echo "Flare is wiped: you may now repair it."
|
||||
}
|
||||
|
||||
wipe_fractal() {
|
||||
|
|